Learn the science of Cryptography and how it plays a role in computer forensics.

Applied Decryption is an intensive, hands-on course that reviews current encryption technology and provides the knowledge
and skills necessary to recover passwords using PRTK™ and DNA™. This course introduces advanced cryptography
concepts, including encryption standards and file recovery strategies. Participants are guided through a basic cryptographic
system, including the elements used to create a File Encryption Key (FEK), passwords, hash functions, salt, passkey, and the
FEK itself.

Participants are also introduced to AccessData™ decryption technology software. The course outlines how Password
Recovery Toolkit™ (PRTK) and Distributed Network Attack™ (DNA) recover passwords from common applications, including
the types of attacks that may be employed. It also reviews PRTK and DNA features and functions, including how to start attack
sessions, how to import dictionaries, how to create attack profiles, and how to report Session/Job properties information.

Also key to this course is AccessData Decryption Methodology. Students review tactics like generating dictionaries based on
suspect intelligence or exporting a word list from FTK, then importing the word list in PRTK or DNA to build an attack profile.

After setting up the framework of decryption tools and strategies, this course focuses on how to attack specific encryption
technologies, including:

PGP: Participants review digital signatures and certificates, with a specific discussion about the PGP Web of Trust,
including how the Web of Trust can be implemented, methods a third party may use to infiltrate the group, and
man-in-the-middle attacks.

Encrypted Containers: Participants first learn how a virtual container file is viewed with a forensic tool when it is not
mounted with the native application. This is followed by a discussion of how to recover passwords for encrypted containers
so that you can natively mount the volume. Participants also discuss best-practice procedures to acquire a forensic image of
the mounted virtual container using FTK Imager.

EFS: Participants gain an understanding of how the Encrypting File System (EFS) works and how EFS file data can be
recovered. Participants learn where Windows stores the encryption and decryption keys and how to exploit weaknesses
within the Windows operating system to obtain these keys and decrypt the data. They are also given detailed instruction on
the steps required for FTK to decrypt EFS file data on Windows 2000 and Windows XP SP1 systems.

Data Within Data: Participants are introduced to steganography—the concept of data concealed within data—and how to
forensically process such files.

System BitLocker and BitLocker To Go: Participants review some of the core functions related to acquiring
BitLocker-encrypted evidence. Participants first learn how to identify an encrypted volume. The course then presents
different ways to decrypt and forensically acquire data from a BitLocker-protected drive.

Prerequisites:

This course is intended for forensic investigators with experience in forensic case work and a basic working knowledge of FTK,
FTK Imager, Registry Viewer, and PRTK.

To obtain the maximum benefit from this course, you should meet the following requirements:
• Able to understand course curriculum presented in English